[keycloak-user] Is LDAP Bind Credential encrypted in the database?
Rashiq
rysiek at occrp.org
Fri Dec 9 05:34:41 EST 2016
Hi,
On Friday, 9 December 2016 08:22:50 CET, Bruno Oliveira wrote:
> On 2016-12-09, Michael Furman wrote:
> > Hi all,
> > Is LDAP Bind Credential encrypted in the database?
> > What algorithm is used?
>
> Take a look at
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/threat/password-db-compromised.html
I think the question was not about hashing Keycloak user passwords, but about
encrypting the password used to bind keycloak to the LDAP server configured as
an Identity Provider for Keycloak. Is that correct, Michael?
In such a case, the password cannot be hashed (as Keycloak has to have access to
it to provide it to the LDAP server upon connecting).
My *guess* is that the bind password could be encrypted, but database
compromise would nonetheless let a potential attacker get to the password (if
in no other way, by setting up their own Keycloak instance and using the db
for it).
There's no way around it, I think -- Keycloak has to have access to the clear-text
LDAP password, one way or another, to bind to the LDAP server.
--
Regards,
rashiq
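The distinction drawn in this reply, as an added illustration that is not part of the original thread and not Keycloak's own code: a login password goes into the database as a one-way salted PBKDF2 digest, while an LDAP bind credential must be stored reversibly, so whoever holds a copy of the database together with the server's key (for instance by pointing their own server instance at that database) gets the bind password back in clear. The stream cipher, key, iteration count and sample secrets below are constructed stand-ins, not a real deployment's values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample secrets (illustrative only, not from any real deployment).
USER_PASSWORD = b"correct horse battery staple"
LDAP_BIND_PASSWORD = b"ldap-service-account-secret"


def hash_user_password(password: bytes, salt: bytes, iterations: int = 27500) -> bytes:
    """One-way: salted PBKDF2-HMAC-SHA256, the shape used for login passwords."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify_user_password(candidate: bytes, salt: bytes, stored: bytes) -> bool:
    """The server can only check a candidate against the digest, never read the password."""
    return hmac.compare_digest(hash_user_password(candidate, salt), stored)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for AES; not for production."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_bind_credential(key: bytes, plaintext: bytes) -> bytes:
    """Reversible: the server must recover the clear text to bind to LDAP."""
    nonce = os.urandom(12)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt_bind_credential(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def build_db_rows(server_key: bytes) -> dict:
    """What lands in the database: a digest for the user, ciphertext for the bind credential."""
    salt = os.urandom(16)
    return {"user_salt": salt,
            "user_hash": hash_user_password(USER_PASSWORD, salt),
            "ldap_bind_blob": encrypt_bind_credential(server_key, LDAP_BIND_PASSWORD)}


def recover_from_db_copy(rows: dict, key_available: Optional[bytes]) -> dict:
    """Model a copied database: with the server's key the bind password is back in clear;
    the user digest is never the password itself, whoever holds it."""
    bind = decrypt_bind_credential(key_available, rows["ldap_bind_blob"]) if key_available else None
    return {"bind_password_recovered": bind == LDAP_BIND_PASSWORD,
            "user_password_readable": rows["user_hash"] == USER_PASSWORD}
```

Keeping the encryption key out of the database (in a keystore or vault the server reads at start-up) is what makes the bind credential survive a database-only compromise; a copy of the database alone then yields only ciphertext.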